Nasomi Community FFXI Server
https://na.nasomi.com/forum/

One time password or Authorize login
https://na.nasomi.com/forum/viewtopic.php?f=6&t=12270
Page 4 of 4

Author:  sakuro [ Mon Oct 07, 2019 3:55 pm ]
Post subject:  Re: One time password or Authorize login

I would like to vote for an option to increase security but I feel that both of the presented options are not really that great... Mostly because they both start with "You would log into the account page" and there is nothing in either of these proposals to increase security of the account page. I would expect that most of these account take-overs happen due to a compromised forum account. Given that most people report that their alts and main get hacked at the same time, it must be via the forums account.

So some form of 2FA for the account page (ideally in my mind something like U2F) to lock down account logins, would allow Nasomi to have an option to only authorize game logins from IP addresses that have been recently logged into the account page. This would mean that for most people, you might only have to login to the account page every few days/weeks. In my case, I know my public IP address hasn't changed once since I moved into my current house three years ago. It could be optional and for most people it would provide a good mix of security and minimal change to how they are currently logging in.

It doesn't even need to be integrated with the forums login... While the account password and forums passwords are identical, 2FA could be only on the account page so that it would be code that Nasomi 100% controls. No problems with integrating with phpBB... But if Nasomi did want to do this for the forum accounts also, I found this thread and it looks like there is active development and it is nearing RC status, so it would likely work. https://tinyurl.com/y6ffnmso

So in summary, add some type of 2FA to the account page. And then add an option to restrict game logins to IP addresses that have recently been logged into the account page.

Author:  disposablehero [ Mon Oct 07, 2019 10:00 pm ]
Post subject:  Re: One time password or Authorize login

sakuro wrote:
I would like to vote for an option to increase security but I feel that both of the presented options are not really that great... Mostly because they both start with "You would log into the account page" and there is nothing in either of these proposals to increase security of the account page. I would expect that most of these account take-overs happen due to a compromised forum account. Given that most people report that their alts and main get hacked at the same time, it must be via the forums account.

So some form of 2FA for the account page (ideally in my mind something like U2F) to lock down account logins, would allow Nasomi to have an option to only authorize game logins from IP addresses that have been recently logged into the account page. This would mean that for most people, you might only have to login to the account page every few days/weeks. In my case, I know my public IP address hasn't changed once since I moved into my current house three years ago. It could be optional and for most people it would provide a good mix of security and minimal change to how they are currently logging in.

It doesn't even need to be integrated with the forums login... While the account password and forums passwords are identical, 2FA could be only on the account page so that it would be code that Nasomi 100% controls. No problems with integrating with phpBB... But if Nasomi did want to do this for the forum accounts also, I found this thread and it looks like there is active development and it is nearing RC status, so it would likely work. https://tinyurl.com/y6ffnmso

So in summary, add some type of 2FA to the account page. And then add an option to restrict game logins to IP addresses that have recently been logged into the account page.


yay sak used the words i dont know cuz im a moron :D

Author:  Petz [ Mon Dec 30, 2019 5:14 am ]
Post subject:  Re: One time password or Authorize login

2FA - (2 Factor Authentication)? Yes please.

The downside is when people forget to unsync the app from their phone when they upgrade. Going to need to do some basic workaround support for that. But in my experience that is way faster than having to deal with a hacked account and people getting screwed out of gear/gil.

Author:  Lithorn2 [ Sun Jan 12, 2020 1:16 am ]
Post subject:  Re: One time password or Authorize login

I don't fully know how I got compromised. My password was used on a few sites that had no real relation to nasomi, yet they still got me. It's still my fault for using a password more than once; I got into the habit of something easy to remember. I'll be lucky to play Lithorn again. I kinda wish there was a third option that didn't rely on the forum for authentication though. How hard would it be to set up authentication not with email but with programs like Authy or WinAuth? I use WinAuth basically for a ton of things, and it's on my desktop tucked away so it would be hard for them to get at it. Maybe even a phone version? Is any of this possible?

From what I saw on the logs posted to me about my character, the outside access seemed to stop after I changed my forum pass and character passwords. So they could either be waiting to try again or the forum isn't the culprit, is what I think. Still, I'd like to put faith into my own hands if I could, though I will accept any measure done by nas's judgement.
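
The two ideas raised in this thread (sakuro's option to allow game logins only from IP addresses recently used for an account-page login, and Lithorn2's authenticator-app codes) fit together as in the sketch below. It is an added example, not part of any post and not Nasomi's code. The function names, the in-memory store and the 14-day window are assumptions, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

WINDOW_SECONDS = 14 * 24 * 3600  # assumption: "recently" means the last 14 days
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32
AUTHORIZED = {}  # (account, ip) -> time of last 2FA-verified account-page login

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def account_page_login(account, password_ok, secret_b32, code, ip, now):
    """Authorize ip for game logins only when password AND TOTP code are valid."""
    if not password_ok:
        return False
    ok = False
    for drift in (-1, 0, 1):  # tolerate one 30-second step of clock drift
        expected = totp(secret_b32, now + drift * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            ok = True
    if ok:
        AUTHORIZED[(account, ip)] = now
    return ok

def game_login_allowed(account, password_ok, ip, now):
    """A correct password alone is not enough: the source IP must have a
    2FA-verified account-page login inside the window."""
    seen = AUTHORIZED.get((account, ip))
    return bool(password_ok and seen is not None
                and 0 <= now - seen <= WINDOW_SECONDS)
```

A stolen or reused password then fails at the game login from any IP that has not passed the second factor, and an authorization lapses once the window expires.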

Author:  Psxpert [ Sat Feb 01, 2020 4:30 am ]
Post subject:  Re: One time password or Authorize login

Passwords are like your car keys, they're yours: KEEP THEM SECURE, be responsible for your own. The benefit of passwords is it's a key you can change, so keep a reminder and change it every month, week, time you log in / out?
It's a FTP MMO, don't make it so complicated.

Author:  CaptainCrunch [ Thu Jun 25, 2020 6:31 pm ]
Post subject:  Re: One time password or Authorize login

A little late to the conversation, but have you considered using a RADIUS server for 2FA such as the open source version, FreeRADIUS?

https://freeradius.org/

Author:  moonlightspirit [ Sat Sep 19, 2020 12:44 am ]
Post subject:  Re: One time password or Authorize login

How do we log into the Play Online? I'm totally new to this. I mean, I need a Play Online ID and password to get in. Where do I find these?

Author:  CosignCody [ Tue Dec 29, 2020 2:27 pm ]
Post subject:  Re: One time password or Authorize login

Maybe just use 2F for making changes to the account, the forum account itself. Which should honestly just be an email verification? Can't be that hard to do that lol. If your email pw is the same as your nas pw then there is no helping you :/


All times are UTC